Abstract

We construct two new families of bases for finite field extensions. Bases in the first family, the so-called elliptic bases, are not quite normal bases, but they allow very fast Frobenius exponentiation while preserving sparse multiplication formulas. Bases in the second family, the so-called normal elliptic bases, are normal bases and allow fast (quasi-linear) arithmetic. We prove that all extensions admit models of this kind.

1 Introduction 

The main computational advantage of a normal basis for a finite field extension $\mathbb{F}_{q^d}/\mathbb{F}_q$ is that it allows fast exponentiation by $q$, since this corresponds to a cyclic shift of coordinates and can be computed in time $O(d)$. There is a concern however about how difficult multiplication is in this context.

Let $\alpha$ and $\beta$ be two elements in $\mathbb{F}_{q^d}$ with coordinates $\alpha = (\alpha_i)_{0\le i\le d-1}$ and $\beta = (\beta_i)_{0\le i\le d-1}$ in the given normal basis. Let $(\gamma_i)_{0\le i\le d-1}$ be the coordinates of the product $\alpha\times\beta$. Each $\gamma_i$ is a bilinear form in $\alpha$ and $\beta$. The number of non-zero terms in $\gamma_i$ does not depend on $i$ because the $d$ corresponding tensors are cyclic shifts of each other. This number of terms is called the complexity $C$ of the normal basis. Multiplication with the straightforward algorithm can be done with $2dC$ operations ($dC$ when the coefficients of the bilinear forms $\gamma_i$ are all $\pm 1$). It was shown by Mullin, Onyszchuk, Vanstone and Wilson [15] that the complexity $C$ is at least $2d-1$. This bound is reached by the so-called optimal normal bases. But such optimal normal bases only exist for very special extensions. As a general fact, normal bases with bounded complexity are not known to exist, unless the degree $d$ takes very special and sparse values.

Normal bases with low complexity are usually constructed using Gauss periods, as in work by Ash, Blake and Vanstone [2] or Gao and Lenstra [11]. The construction uses $r$-th roots of unity where $r = kd+1$ is prime. It requires that $q$ generates the unique quotient of order $d$ of $(\mathbb{Z}/r\mathbb{Z})^*$. The parameter $k$ is very important and should be kept as small as possible, because the complexity of the normal basis is bounded by $(d-1)k + d$ and is not expected to be much smaller [10, Theorem 4.1.4]. Optimal normal bases occur when $k = 1$ or $k = 2$. This corresponds to very sparse values of $d$. In general, for $q$ a prime, assuming the Extended Riemann Hypothesis, it has been shown by Adleman and Lenstra [1] that there exist a $k$ and an $r$ as above with $r = O\bigl(d^{\ldots}(\log(dq))^{\ldots}\bigr)$. This is unfortunately of no use when bounding the complexity. In some cases, there is no $k$ at all [22, Satz 3.3.4]. We shall not survey all the variants and improvements of this method. We just quote works by Christopoulou, Garefalakis, Panario and Thomson [7], where traces of optimal normal bases are shown to have a reasonable complexity in some special cases. Wan and Zhou show [21] that the duals of type I optimal normal bases have good complexity too.

Gao, von zur Gathen and Panario show [12] that fast multiplication methods (like FFT) can be adapted to normal bases constructed with Gauss periods. They give a multiplication algorithm in such a normal basis with complexity $O(dk\log(dk)\log|\log(dk)|)$. This is considerable progress for Gauss normal bases with bounded $k$. But in the general case, $k$ being only upper bounded by $O\bigl(d^{\ldots}(\log(dq))^{\ldots}\bigr)$, this is just too large.

In his thesis [10], Gao presented a new way of constructing normal bases with low complexity. In Gao's construction, the Lucas torus and its isogenies play an important, though implicit, role. Gao thus constructs more normal bases with low complexity. In our work, we consider the remaining algebraic groups of dimension one: elliptic curves. Since there are many elliptic curves, we can enlarge significantly the number of cases where a normal basis with fast multiplication exists.

In order to state our results, we shall need the following definition, where $v_\ell$ stands for the valuation associated to the prime $\ell$.

Definition 1 Let $p$ be a prime and $q$ a power of $p$. Let $d \ge 2$ be an integer. We denote by $d_q$ the unique positive integer such that for every prime $\ell$

• $v_\ell(d_q) = v_\ell(d)$ if $\ell$ is prime to $q-1$,

• $v_\ell(d_q) = 0$ if $v_\ell(d) = 0$,

• $v_\ell(d_q) = \max\bigl(2v_\ell(q-1) + 1,\ 2v_\ell(d)\bigr)$ if $\ell$ divides both $q-1$ and $d$.

For example, if $d = 14$ and $q = 654323$ then $q-1 = 2\cdot 19\cdot 67\cdot 257$ and $d_q = 2^3\cdot 7$. Note that $d_q = d$ whenever $d$ is prime to $q-1$.
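As an added illustration (not from the paper), the following Python computes $d_q$ of Definition 1 from the prime factorisations of $d$ and $q-1$, and reproduces the $d = 14$, $q = 654323$ case; the names `factor` and `d_q` are this example's own.

```python
# Added example (not from the paper): d_q of Definition 1, computed from the
# prime factorisations of d and q - 1.

def factor(n):
    """Trial-division factorisation of n >= 2 as {prime: exponent}."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def d_q(q, d):
    """The integer d_q of Definition 1 (q a prime power, d >= 2)."""
    v_d, v_q1 = factor(d), factor(q - 1)
    result = 1
    for ell, e in v_d.items():                # primes not dividing d get valuation 0
        if ell in v_q1:                       # ell divides both q - 1 and d
            result *= ell ** max(2 * v_q1[ell] + 1, 2 * e)
        else:                                 # ell prime to q - 1
            result *= ell ** e
    return result
```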

We now can state our first result. 

Theorem 1 To every couple $(q,d)$ with $q$ a prime power and $d \ge 2$ an integer and $d_q \le q^{\ldots}$, one can associate a normal basis $\Theta(q,d)$ of the degree $d$ extension of $\mathbb{F}_q$ such that the following holds:

• There exist a positive constant $K$ and an algorithm that multiplies two elements given in the basis $\Theta(q,d)$ at the expense of $5d^2 + 2d$ multiplications and $5d^2 + 4d$ additions/subtractions in $\mathbb{F}_q$. The amount of necessary memory is $\le Kd\log q$ bits.
There is also a fast arithmetic version of Theorem 1.

Theorem 2 To every couple $(q,d)$ with $q$ a prime power and $d \ge 2$ an integer and $d_q \le q^{\ldots}$, one can associate a normal basis $\Theta(q,d)$ of the degree $d$ extension of $\mathbb{F}_q$ such that the following holds:

• There exist a positive constant $K$ and an algorithm that multiplies two elements given in the basis $\Theta(q,d)$ at the expense of $Kd\log d\log|\log d|$ operations in $\mathbb{F}_q$.

• There exists an algorithm that divides two elements given in the basis $\Theta(q,d)$ at the expense of $Kd(\log d)^2\log|\log d|$ operations in $\mathbb{F}_q$.

The basis $\Theta(q,d)$ that appears in Theorem 1 and Theorem 2 has a multiplication tensor that mainly consists of 5 convolution products. We also construct a basis $\Omega(q,d)$ having a sparse multiplication tensor. Sparsity is useful when using such constrained devices as circuits. Further, this basis $\Omega(q,d)$ allows a faster elementary multiplication algorithm than $\Theta(q,d)$. It is not quite a normal basis, but exponentiation by $q$ is still done in linear time.

Theorem 3 To every couple $(q,d)$ with $q$ a prime power and $d \ge 2$ an integer and $d_q \le 2q^{\ldots}$, one can associate a basis $\Omega(q,d)$ of the degree $d$ extension of $\mathbb{F}_q$ such that the following holds:

• There exist a positive constant $K$ and an algorithm that computes the $q$-th power of an element given in basis $\Omega(q,d)$ at the expense of $d-1$ multiplications and $2d-3$ additions in $\mathbb{F}_q$. The amount of necessary memory is $\le Kd\log q$ bits.

• There exists an algorithm that multiplies two elements given in basis $\Omega(q,d)$ at the expense of $(31d^2 + 6d)/12$ multiplications, $d^2/12$ inverses and $(37d^2 + 30d)/12$ additions/subtractions in $\mathbb{F}_q$. The amount of necessary memory is $\le Kd\log q$ bits.

The following result is valid without any restriction.

Theorem 4 To every couple $(q,d)$, one can associate a model of the degree $d$ extension of $\mathbb{F}_q$ such that the following holds. There exists a positive constant $K$ such that:

• Elements in $\mathbb{F}_{q^d}$ are represented by vectors with less than $Kd(\log d)^2(\log(\log d))^2$ components in $\mathbb{F}_q$.

• Addition (resp. subtraction) of two elements in $\mathbb{F}_{q^d}$ requires less than $Kd(\log d)^2(\log(\log d))^2$ additions (resp. subtractions) in $\mathbb{F}_q$.

• Exponentiation by $q$ consists in a circular shift of the coordinates.

• There exists an algorithm that multiplies two elements at the expense of $Kd(\log d)^2|\log(\log d)|^2$ multiplications/additions/subtractions in $\mathbb{F}_q$.

• There exists an algorithm that divides two elements at the expense of $Kd(\log d)^2|\log(\log d)|^2$ multiplications/additions/subtractions in $\mathbb{F}_q$.

So, for every finite field extension, there exists a model that allows both fast multiplication and fast application of the Frobenius automorphism.

In Section 2 we recall simple relations between low degree elliptic functions. We show in Section 3 that evaluation of such functions at a well chosen divisor produces an almost normal basis for the residue field. Relations between elliptic functions result in nice multiplication formulas in this basis. Such bases have properties similar to those constructed by Gao in his thesis: they have low complexity. This is shown in Subsection 3.3. In Section 4 we construct normal bases allowing fast (quasi-linear) multiplication. We show in Section 5 that an elliptic basis exists for any degree $d$ extension of $\mathbb{F}_q$ provided $d$ is not too large. We explain in Subsection 5.2 what to do when $d$ is large. In Subsection 5.4 we introduce a polynomial basis that can be related efficiently to the elliptic (normal) basis. We deduce a fast inversion algorithm for elliptic normal bases.

We further support our claims with extensive experiments using the computational algebra system MAGMA [4]. We developed for this task a package, named ELLBASIS, the sources of which are available on the web page of the second author.

Acknowledgments: We thank Cécile Dartyge, Guillaume Hanrot, Gérald Tenenbaum and Jie Wu for pointing Iwaniec's result on Jacobsthal's problem out to us.

2 Linear and quadratic relations among elliptic functions 

In this section, we study the simplest elliptic functions: those with degree 2. We prove simple linear and quadratic relations between these functions. The monograph [19] by J. Silverman contains all the necessary background about elliptic curves.

Let $K$ be a field and let $E$ be an elliptic curve over $K$. We assume $E$ is given by some Weierstrass equation

$$Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3.$$

We set $x = X/Z$, $y = Y/Z$ and $z = -x/y = -X/Y$, and we find

$$x = \frac{1}{z^2} - \frac{a_1}{z} - a_2 - a_3z + O(z^2), \qquad y = -\frac{x}{z}.$$

The involution $P = (x,y)\mapsto -P = (x, -y - a_1x - a_3)$ transforms $z$ into

$$z(-P) = \frac{x}{y + a_1x + a_3} = -z - a_1z^2 - a_1^2z^3 - (a_1^3 + a_3)z^4 + O(z^5).$$
If $A$ is a geometric point on $E$, we denote by $\tau_A$ the translation by $A$. We denote by $z_A = z\circ\tau_{-A}$ the composition of $z$ with the translation by $-A$. We define $x_A$ and $y_A$ in a similar way. The composition of $z_A$ with the involution fixing $A$ is $-z_A - a_1z_A^2 - a_1^2z_A^3 - (a_1^3 + a_3)z_A^4 + O(z_A^5)$. The composition of $1/z_A$ with the involution fixing $A$ is $-1/z_A + a_1 + a_3z_A^2 + O(z_A^3)$.

If $A$ and $B$ are two distinct geometric points on $E$, we denote by $u_{A,B}$ the function on $E$ defined as

$$u_{A,B} = \frac{y_A - y(A-B)}{x_A - x(A-B)}.$$

It has polar divisor $-[A] - [B]$. It is invariant by the involution exchanging $A$ and $B$,

$$u_{A,B}(A + B - P) = u_{A,B}(P).$$

Its Taylor expansion at $A$ is $u_{A,B} = -\dfrac{1}{z_A} - x_A(B)z_A + (y_A(B) + a_3)z_A^2 + O(z_A^3)$.

If $C$ is any third geometric point, we set $T(A,B,C) = u_{A,B}(C)$. This is the slope of the secant (resp. tangent) to $E$ going through $C - A$ and $A - B$. It is well defined for any three points $A$, $B$, $C$ such that $\#\{A,B,C\}\ge 2$. It is finite if and only if $\#\{A,B,C\} = 3$. We check

$$T(-A,-B,-C) = -T(A,B,C) - a_1. \tag{1}$$

The Taylor expansions of $u_{A,B}$ at $A$ and $B$ are

$$u_{A,B} = -\frac{1}{z_A} - x_A(B)z_A + (y_A(B) + a_3)z_A^2 + O(z_A^3) = \frac{1}{z_B} - a_1 + x_A(B)z_B + (y_A(B) + a_1x_A(B))z_B^2 + O(z_B^3).$$

As a consequence $u_{B,A} = -u_{A,B} - a_1$, $x_B(A) = x_A(B)$ and $y_B(A) = -y_A(B) - a_1x_A(B) - a_3$, and examination of Taylor expansions at $A$, $B$ and $C$ shows that

$$u_{A,B} + u_{B,C} + u_{C,A} = T(A,B,C) - a_1 \tag{2}$$

and

$$T(A,B,C) = u_{B,C}(A) = u_{C,A}(B) = u_{A,B}(C) = -u_{B,A}(C) - a_1. \tag{3}$$

We deduce

$$u_{B,C} = u_{B,C}(A) - (x_A(C) - x_A(B))z_A + (y_A(C) - y_A(B))z_A^2 + O(z_A^3).$$



By comparison of Taylor expansions at $A$, $B$ and $C$ we prove

$$u_{A,B}u_{A,C} = x_A + u_{B,C}(A)\,u_{B,C} - u_{B,C}(A)^2 - a_1u_{A,B} + x_A(B) + x_A(C) + a_2$$

or, derived from Equation (2),

$$u_{A,B}u_{A,C} = x_A + T(A,B,C)\,u_{A,C} + T(A,C,B)\,u_{A,B} + a_2 + x_A(B) + x_A(C). \tag{4}$$

Indeed,

$$\Bigl(-\frac{1}{z_A} - x_A(B)z_A + (y_A(B) + a_3)z_A^2\Bigr)\Bigl(-\frac{1}{z_A} - x_A(C)z_A + (y_A(C) + a_3)z_A^2\Bigr) + O(z_A^2) = \frac{1}{z_A^2} + x_A(B) + x_A(C) - (y_A(B) + y_A(C) + 2a_3)z_A + O(z_A^2).$$

So $u_{A,B}u_{A,C} - x_A + a_1u_{A,B} - x_A(B) - x_A(C) - a_2$ cancels at $A$ and its polar divisor is $-[B] - [C]$. Its residue at $B$ is $-u_{A,B}(C)$. This proves Equation (4).

In the same vein, we prove

$$u_{A,B}^2 = x_A + x_B - a_1u_{A,B} + x_A(B) + a_2. \tag{5}$$

Indeed,

$$u_{A,B}^2 = \Bigl(-\frac{1}{z_A} - x_A(B)z_A + (y_A(B) + a_3)z_A^2\Bigr)^2 + O(z_A^2) = \frac{1}{z_A^2} + 2x_A(B) - 2(y_A(B) + a_3)z_A + O(z_A^2)$$

and similarly

$$u_{A,B}^2 = \Bigl(\frac{1}{z_B} - a_1 + x_A(B)z_B + (y_A(B) + a_1x_A(B))z_B^2\Bigr)^2 + O(z_B^2) = \frac{1}{z_B^2} - \frac{2a_1}{z_B} + a_1^2 + 2x_A(B) + 2y_A(B)z_B + O(z_B^2).$$

So $u_{A,B}^2 - x_A - x_B + a_1u_{A,B} = x_A(B) + a_2$.

Here are more explicit formulas. For $A$ and $B$ distinct,

$$u_{A,B} = \begin{cases}
-u_{O,A} - a_1 & \text{if } B = O, \\[4pt]
\dfrac{y + y(B) + a_1x(B) + a_3}{x - x(B)} & \text{if } A = O, \\[8pt]
\dfrac{a_1y(A) - 3x(A)^2 - 2a_2x(A) - a_4}{2y(A) + a_1x(A) + a_3} - \dfrac{a_1x + a_3 + 2y(A)}{x - x(A)} & \text{if } B = -A, \\[8pt]
\dfrac{y(B) + y(A) + a_1x(A) + a_3}{x(B) - x(A)} + \dfrac{(x(B) - x(A))(y + a_1x + a_3) + (y(B) - y(A))x + y(A)x(B) - y(B)x(A)}{(x - x(A))(x - x(B))} & \text{otherwise.}
\end{cases}$$

Especially, when $A = O$, provided $B$ and $C$ are distinct and non-zero, we have

$$T(O,B,C) = \begin{cases}
-\dfrac{3x(B)^2 + a_1(y(B) + a_1x(B) + a_3) + 2a_2x(B) + a_4}{2y(B) + a_1x(B) + a_3} & \text{if } C = -B, \\[8pt]
\dfrac{y(C) + y(B) + a_1x(B) + a_3}{x(C) - x(B)} & \text{otherwise.}
\end{cases} \tag{6}$$

These formulae can be derived from the definition of $T(A,B,C)$ as a slope, using the explicit form of the addition law on elliptic curves.
3 Elliptic bases for finite field extensions

In this section, we use elliptic functions to construct interesting bases for many finite field extensions.

Assume $E$ is an elliptic curve over a finite field $K = \mathbb{F}_q$ and let $d\ge 2$ be an integer. Let $t\in E(\mathbb{F}_q)[d]$ be a rational point of order $d$. We call $T$ the group generated by $t$. Let $\phi : E\to E$ be the Frobenius endomorphism. Let $b\in E(\bar K)$ be a point such that $\phi(b) = b + t$. So $b$ belongs to $E(L)$ where $L$ is the degree $d$ extension of $K$. We denote by $E'$ the quotient $E/T$ and by $I : E\to E'$ the quotient isogeny. We also assume $db\neq O\in E$. We set $a = I(b)$ and check $a\in E'(\mathbb{F}_q)$. For another use of Kummer theory of elliptic curves in order to construct efficient representations for finite fields, see [?].

3.1 The elliptic basis $\Omega$

We denote by $\Omega$ the system $(\omega_k)_{k\in\mathbb{Z}/d\mathbb{Z}}$ defined as

$$\omega_0 = 1 \quad\text{and}\quad \omega_k = u_{O,kt}(b)\in L \ \text{ for } k\neq 0 \bmod d.$$

Lemma 1 With the above notation, the system $\Omega = (\omega_0, \omega_1, \ldots, \omega_{d-1})$ is a $K$-basis of $L$.

Proof. Indeed, let the $\lambda_k$ for $k\in\mathbb{Z}/d\mathbb{Z}$ be scalars in $K$ such that $\sum_{k\in\mathbb{Z}/d\mathbb{Z}}\lambda_k\omega_k = 0$. The function $f = \lambda_0 + \sum_{0\neq k\in\mathbb{Z}/d\mathbb{Z}}\lambda_ku_{O,kt}$ cancels at $b$ and also at all its $d$ conjugates over $K$ (because $f$ is defined over $K$). But $f$ has no more than $d$ poles (the points in $T$). If $f$ is non-zero, its divisor is $(f)_0 - (f)_\infty$ with $(f)_0 = \sum_{\tau\in T}[b + \tau]$ and $(f)_\infty = \sum_{\tau\in T}[\tau]$. We deduce $d\times b$ is zero in $E$. But this is impossible by hypothesis. Examination of poles shows that all $\lambda_k$ are zero.

□

We call such a basis as $\Omega$ an elliptic basis. It enjoys nice properties as we shall see. We set

$$T_{k,l} = T(O, kt, lt)\in K$$

for any distinct non-zero $k, l\in\mathbb{Z}/d\mathbb{Z}$. For any $k\in\mathbb{Z}/d\mathbb{Z}$, we set furthermore $\xi_k = x_{kt}(b)\in L$. If $k\neq 0\bmod d$, we set $\nu_k = x_O(kt)\in K$ and $\rho_k = y_O(kt)\in K$ too.

Let now $\Phi : L\to L$ be the $q$-Frobenius automorphism. We have $x_O(b) = \xi_0$ and $\Phi(\xi_0) = x_O(\phi(b)) = x_O(b + t) = x_{-t}(b) = \xi_{-1}$. There exist $d$ scalars $(\kappa_k)_{0\le k\le d-1}$ in $K$ such that

$$\xi_0 = \sum_{k=0}^{d-1}\kappa_k\omega_k. \tag{7}$$

We have for $k\neq 0, 1\bmod d$,

$$\Phi(\omega_k) = u_{O,kt}(\phi(b)) = u_{O,kt}(b + t) = u_{-t,(k-1)t}(b) = u_{O,(k-1)t}(b) - u_{O,-t}(b) + T(O,-t,(k-1)t) = \omega_{k-1} - \omega_{-1} + T_{-1,k-1} \tag{8}$$

using Equation (2). Similarly

$$\Phi(\omega_1) = u_{O,t}(b + t) = u_{-t,O}(b) = -\omega_{-1} - a_1 \quad\text{and}\quad \Phi(\omega_0) = \omega_0. \tag{9}$$

Equations (8) and (9) show that the action of Frobenius is expressed very easily in an elliptic basis.

As far as multiplication is concerned, we set $A = O$, $B = kt$ and $C = lt$ in Equation (4), and we evaluate at $b$. We find, for $k$ and $l$ distinct and non-zero in $\mathbb{Z}/d\mathbb{Z}$,

$$\omega_k\omega_l = \xi_0 + T_{-k,-l}\,\omega_k + T_{k,l}\,\omega_l + \nu_k + \nu_l + a_2. \tag{10}$$

In the same vein, from Equation (5), we obtain for any non-zero $k$ in $\mathbb{Z}/d\mathbb{Z}$,

$$\omega_k^2 = \xi_0 + \xi_k - a_1\omega_k + \nu_k + a_2. \tag{11}$$

So, if we multiply two $K$-linear combinations of the $\omega$'s, we quickly get a linear combination of the $\omega$'s and $\xi$'s using Equations (10) and (11). We then reduce (eliminate all the $\xi_k$) using the expression of $\xi_0$ in the basis $\Omega$ given by Equation (7). We also use Equation (8) to deduce the expressions of all $\xi_k$'s in the basis $\Omega$.

We don't need to store all constants $T_{k,l}$. Equation (6) allows to recalculate all these $d^2$ quantities from the $\nu_k$ and $\rho_k$. Moreover, we use in the following that only a small amount of these coefficients has to be computed due to symmetry relations (1) and (3) and invariance by translation.



Example. Let $K = \mathbb{F}_7$ and $d = 5$; we first consider the elliptic curve $E$ of order 10 defined by $y^2 + xy + 5y = x^3 + 3x^2 + 3x + 2$. The point $t = (3,1)$ generates a subgroup $T\subset E$ of order 5, and with $E' = E/T$ defined by $y^2 + xy + 5y = x^3 + 3x^2 + 4x + 6$, we find

$$I : (x,y)\mapsto\left(\frac{x^5 + 2x^2 + 5x + 6}{x^4 + 3x^2 + 4},\ \frac{(x^6 + 4x^4 + 3x^3 + 6x^2 + 3x + 4)\,y + 3x^5 + x^4 + x^3 + 3x^2 + 4x + 1}{x^6 + x^4 + 5x^2 + 6}\right).$$

Let now $a = (4,2)$; we define $L$ with the irreducible polynomial $(r^5 + 2r^2 + 5r + 6) - 4(r^4 + 3r^2 + 4) = r^5 + 3r^4 + 4r^2 + 5r + 4$, and we set $b = (r : r^{\ldots})$. We find

$$(u_{O,kt})_{k\in\mathbb{Z}/d\mathbb{Z}} = \left(1,\ \frac{y+2}{x+4},\ \frac{y+2}{x+3},\ \frac{y}{x+3},\ \frac{y+6}{x+4}\right)$$

so that

$$\Omega = (1, r^{10884}, r^{1164}, r^{9837}, r^{15166}).$$
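As an added, independent check (this is not the paper's ELLBASIS code), the following Python implements the curve $E$ of this example over $\mathbb{F}_7$, computes the constants $\nu_k$, $\rho_k$ and $T_{k,l}$ from Equation (6), and verifies Equations (4) and (5) at the rational points of $E$ together with the relation $T_{l,k} = -T_{k,l} - a_1$ and the twelve symmetry relations on the $T_{k,l}$ used in Subsection 3.3. All function names (`add`, `u_O`, `T`, …) are this example's own.

```python
# Added worked example (not the paper's ELLBASIS code): the curve of the
# example above, E : y^2 + xy + 5y = x^3 + 3x^2 + 3x + 2 over K = F_7, with
# t = (3, 1) of order d = 5.  We compute nu_k = x(kt), rho_k = y(kt) and
# T_{k,l} = T(O, kt, lt) from Equation (6) and check the identities of the text.

P = 7                                     # the field K = F_7
A1, A2, A3, A4, A6 = 1, 3, 5, 3, 2        # Weierstrass coefficients of E
O = None                                  # the point at infinity

def inv(a):
    """Inverse in F_7 by Fermat; the inputs used here are never 0."""
    assert a % P, "not invertible"
    return pow(a, P - 2, P)

def on_curve(pt):
    x, y = pt
    return (y*y + A1*x*y + A3*y - (x**3 + A2*x*x + A4*x + A6)) % P == 0

def neg(pt):
    """The involution P -> -P = (x, -y - a1 x - a3) of Section 2."""
    return O if pt is O else (pt[0], (-pt[1] - A1*pt[0] - A3) % P)

def add(p1, p2):
    """Chord-and-tangent addition on the general Weierstrass model."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2 + A1*x2 + A3) % P == 0:
        return O                                # p2 == -p1
    if x1 == x2:                                # doubling: tangent slope
        lam = (3*x1*x1 + 2*A2*x1 + A4 - A1*y1) * inv(2*y1 + A1*x1 + A3) % P
    else:                                       # secant slope
        lam = (y2 - y1) * inv(x2 - x1) % P
    c = (y1 - lam*x1) % P
    x3 = (lam*lam + A1*lam - A2 - x1 - x2) % P
    return (x3, (-(lam + A1)*x3 - c - A3) % P)

def mul(k, pt):
    r = O
    for _ in range(k):
        r = add(r, pt)
    return r

T_PT = (3, 1)
D = 5                                     # order of t (checked in the test)
KT = [mul(k, T_PT) for k in range(D)]     # KT[k] = kt, KT[0] = O

def nu(k):
    return KT[k % D][0]                   # nu_k = x_O(kt)

def u_O(B, pt):
    """u_{O,B}(P) = (y + y(B) + a1 x(B) + a3) / (x - x(B)) from Section 2."""
    (x, y), (xb, yb) = pt, B
    return (y + yb + A1*xb + A3) * inv(x - xb) % P

def T(k, l):
    """T_{k,l} = T(O, kt, lt) for distinct non-zero k, l, by Equation (6)."""
    B, C = KT[k % D], KT[l % D]
    assert B is not O and C is not O and B != C
    if C == neg(B):                           # tangent case C = -B
        xb, yb = B
        num = 3*xb*xb + A1*(yb + A1*xb + A3) + 2*A2*xb + A4
        return -num * inv(2*yb + A1*xb + A3) % P
    return u_O(B, C)                          # secant case

def symmetry_relations_hold():
    """The twelve relations on the T_{k,l} stated in Subsection 3.3."""
    for k in range(1, D):
        for l in [l for l in range(1, D) if l != k]:
            t = T(k, l)
            same = [T(-l, -k), T(k, k - l), T(l - k, -k), T(l - k, l), T(-l, k - l)]
            flipped = [T(l, k), T(-k, -l), T(k - l, k), T(-k, l - k),
                       T(l, l - k), T(k - l, -l)]
            if any(s != t for s in same) or any(f != (-t - A1) % P for f in flipped):
                return False
    return True

def product_formulas_hold():
    """Equations (4) and (5) with A = O, B = kt, C = lt are identities of
    functions; check them at the rational points of E outside T."""
    pts = [(x, y) for x in range(P) for y in range(P) if on_curve((x, y)) and (x, y) not in KT]
    for (x, y) in pts:
        for k in range(1, D):
            uk = u_O(KT[k], (x, y))
            xk = add((x, y), neg(KT[k]))[0]                  # x_{kt}(P) = x(P - kt)
            if (uk*uk - (x + xk - A1*uk + nu(k) + A2)) % P:  # Equation (5)
                return False
            for l in [l for l in range(1, D) if l != k]:
                ul = u_O(KT[l], (x, y))
                rhs = x + T(k, l)*ul + T(l, k)*uk + A2 + nu(k) + nu(l)  # Equation (4)
                if (uk*ul - rhs) % P:
                    return False
    return True
```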
3.2 A cell decomposition of the torus



Equations (1) and (3) show that the quantity $T(A,B,C)$ is covariant for the symmetric group $\mathfrak{S}_3$ and even for $\mathfrak{S}_3\times\{1,-1\}$. It is also invariant by translation,

$$T(A+P, B+P, C+P) = T(A,B,C).$$

Altogether, $T$ is covariant for the group $E(\bar K)\rtimes(\mathfrak{S}_3\times\{1,-1\})$.

These covariance properties are useful when computing the $T_{k,l}$: we divide by 12 the amount of work. Since in that case $A = O$, $B = kt$ and $C = lt$ lie in the group $T = \langle t\rangle$, a cyclic group of order $d$, it makes sense to study the action of $(\mathbb{Z}/d\mathbb{Z})\rtimes(\mathfrak{S}_3\times\{1,-1\})$ on the group $(\mathbb{Z}/d\mathbb{Z})^3$. In particular, we are interested in fundamental domains for this action. It turns out that it is more natural to study first the action of $\mathbb{R}^3\rtimes(\mathfrak{S}_3\times\{1,-1\})$ on $\mathbb{R}^3$. In this subsection we justify the choice of fundamental domain that is made in Subsection 3.3.

Let $\psi : \mathbb{R}^3\to\mathbb{C}$ be the map that sends the triplet $(a,b,c)$ onto $a + b\rho + c\rho^2$ where $\rho = \exp(2i\pi/3)$. This is a group homomorphism. Its kernel is the diagonal subgroup of $\mathbb{R}^3$. The group $\mathfrak{S}_3\times\{1,-1\}$ acts on $\mathbb{R}^3$ and we have the following covariance formulas

$$\psi(a,c,b) = \overline{\psi(a,b,c)}, \qquad \psi(c,a,b) = \rho\,\psi(a,b,c), \qquad \psi(-a,-b,-c) = -\psi(a,b,c).$$

So the map $\psi$ induces a bijection between the quotient of $\mathbb{R}^3$ by $\mathbb{R}\rtimes(\mathfrak{S}_3\times\{1,-1\})$ and the quotient of $\mathbb{C}$ by $\mu_6\times\{1,\mathrm{conj}\}$ where $\mu_6$ is the group of sixth roots of unity and $\mathrm{conj}$ is complex conjugation.

The image of $\mathbb{Z}^3\subset\mathbb{R}^3$ by $\psi$ is the ring of Gaussian integers. Since $\mathbb{Z}^3$ is normalized by $\mathfrak{S}_3\times\{1,-1\}$, the map $\psi$ induces a morphism $\bar\psi : U^3\to T_0$ where $U = \mathbb{R}/\mathbb{Z}$ is the unit circle and $T_0 = \mathbb{C}/(\mathbb{Z} + \rho\mathbb{Z})$ the complex torus with zero modular invariant. This map $\bar\psi$ is covariant. We denote by $\Lambda$ the lattice $\mathbb{Z} + \rho\mathbb{Z}$. For any integer $d\ge 2$, we denote by $U[d]$ the $d$-torsion group of $U$ and $T_0[d]$ the one of $T_0$. We also consider the map from $U^3[d]$ to $T_0[d]$ induced by $\bar\psi$.

Let $k$ and $l$ be two elements in $U$ and let $z = k\rho + l\rho^2\in T_0$ be the image of $(0,k,l)$ by $\bar\psi$. We compute the stabilizer of $z$ in $\mu_6\times\{1,\mathrm{conj}\}$. It is clear that $\bar z = z\bmod\Lambda$ if and only if $k = l\bmod 1$. The set of fixed points by complex conjugation is the circle made of real points in $T_0$. In the same manner we show that $-\rho\bar z = z\bmod\Lambda$ if and only if $z$ lies on the circle with equation $k = 2l\bmod 1$. Similarly $\rho^2\bar z = z\bmod\Lambda$ if and only if $l = 0\bmod 1$. And $-\bar z = z\bmod\Lambda$ if and only if $k = -l\bmod 1$. And $\rho\bar z = z\bmod\Lambda$ if and only if $k = 0\bmod 1$. At last $-\rho^2\bar z = z\bmod\Lambda$ if and only if $2k = l\bmod 1$.

The only fixed point of $z\bmod\Lambda\mapsto -\rho z\bmod\Lambda$ is $0$. The same is true for $z\bmod\Lambda\mapsto -\rho^2z\bmod\Lambda$.

The map $z\bmod\Lambda\mapsto\rho z\bmod\Lambda$ has three fixed points, namely $0$, $(\rho - \rho^2)/3$ and its opposite. These are the fixed points of $z\bmod\Lambda\mapsto\rho^2z\bmod\Lambda$ also. Altogether, these three points form the intersection of the three circles with equations $k = 2l\bmod 1$, $l = 2k\bmod 1$ and $l = -k\bmod 1$.

The complementary set of the six circles above consists of 12 triangles. Each of these triangles (with its boundary) is a fundamental domain for the action of $\mu_6\times\{1,\mathrm{conj}\}$ on the torus.
Figure 1: Cell decomposition of the torus

The intersection of such a triangle with $T_0[d]$ gives a fundamental domain for the action of $\mu_6\times\{1,\mathrm{conj}\}$ on $T_0[d]$. This is also a fundamental domain for the action of $(\mathbb{Z}/d\mathbb{Z})\rtimes(\mathfrak{S}_3\times\{1,-1\})$ on $(\mathbb{Z}/d\mathbb{Z})^3$.

3.3 Complexities 

Given an elliptic basis $\Omega = (\omega_k)_{k\in\mathbb{Z}/d\mathbb{Z}}$, we now focus on the complexity of algorithms for computing the Frobenius or the multiplication of two elements. To be as efficient as possible, and since operands of the algorithms are already of size $d\log q$, we assume that any precomputation, the storage of which does not exceed $O(d\log q)$, is possible.

We first have the following result. 

Lemma 2 Let $\alpha = \sum_{i=0}^{d-1}\alpha_i\omega_i\in L$. Then there exist algorithms that compute $\Phi(\alpha)$ and $\Phi^{-1}(\alpha)$ at the expense of $d-1$ multiplications and $2d-3$ additions in $K$, among which are one multiplication and one addition because of the coefficient $a_1$.

Proof. Plugging Equation (8) and Equation (9) in $\sum_{i=0}^{d-1}\alpha_i\Phi(\omega_i)$, resp. $\sum_{i=0}^{d-1}\alpha_i\Phi^{-1}(\omega_i)$, proves the correctness of Algorithm 3.1 and Algorithm 3.2. And, once the $T_{d-1,j}$'s and $T_{j,d-1}$'s are precomputed, the complexity is obvious.

□

Algorithm 3.1 EllipticFrobenius

Frobenius of an element given in an elliptic basis.

INPUT: $\alpha = (\alpha_i)_{0\le i\le d-1}$ such that $\alpha = \sum_{i=0}^{d-1}\alpha_i\omega_i\in L$.

OUTPUT: $\gamma = (\gamma_i)_{0\le i\le d-1}$ such that $\gamma = \sum_{i=0}^{d-1}\gamma_i\omega_i = \Phi(\alpha)\in L$.

return $\Bigl(\alpha_0 - a_1\alpha_1 + \sum_{j=2}^{d-1}\alpha_jT_{d-1,j-1},\ \alpha_2,\ \ldots,\ \alpha_{d-1},\ -\sum_{j=1}^{d-1}\alpha_j\Bigr)$

Algorithm 3.2 EllipticFrobeniusInverse

Inverse Frobenius of an element given in an elliptic basis.

INPUT: $\alpha = (\alpha_i)_{0\le i\le d-1}$ such that $\alpha = \sum_{i=0}^{d-1}\alpha_i\omega_i\in L$.

OUTPUT: $\gamma = (\gamma_i)_{0\le i\le d-1}$ such that $\gamma = \sum_{i=0}^{d-1}\gamma_i\omega_i = \Phi^{-1}(\alpha)\in L$.

return $\Bigl(\alpha_0 + \sum_{j=1}^{d-2}\alpha_jT_{j,d-1} - a_1\alpha_{d-1},\ -\sum_{j=1}^{d-1}\alpha_j,\ \alpha_1,\ \ldots,\ \alpha_{d-2}\Bigr)$

Multiplying two elements in such a basis can be done with good complexity too.

Lemma 3 Let $\alpha = \sum_{i=0}^{d-1}\alpha_i\omega_i\in L$ and $\beta = \sum_{i=0}^{d-1}\beta_i\omega_i\in L$. Then there exists an algorithm that computes the product $\alpha\times\beta$ at the expense of

• $(37d^2 + 30d - 7\varepsilon - 60)/12$ additions, $(32d^2 + 42d - 2\varepsilon - 48)/12$ multiplications and $(d^2 - \varepsilon)/12$ inversions in $K$,

where $\varepsilon = 12, 1, 4, 9, 4, 1$ respectively for $d = 0, \ldots, 5 \bmod 6$, among which are $(d^2 + 12d - \varepsilon - 24)/12$ additions and $(d^2 + 36d - \varepsilon - 48)/12$ multiplications because of the coefficient $a_1$, and $(d^2 - \varepsilon)/12$ additions because of the coefficient $a_3$.

Proof. We prove the correctness of Algorithm 3.3 and establish its complexity.

Correctness. Equations (10) and (11), for $k\le l$, yield

$$\omega_k\omega_l = \begin{cases}
\omega_l & \text{if } k = 0, \\[4pt]
\xi_0 + a_2 - a_1\omega_k + \Phi^{-k}(\xi_0) + \nu_k\omega_0 & \text{if } l = k \text{ and } k > 0, \\[4pt]
\xi_0 + a_2 - a_1\omega_k + T_{k,l}(\omega_l - \omega_k) + (\nu_k + \nu_l)\omega_0 & \text{otherwise.}
\end{cases}$$

And we have,

$$\begin{aligned}
\alpha\times\beta = \sum_{k=0}^{d-1}\sum_{l=0}^{d-1}\alpha_k\beta_l\omega_k\omega_l
&= \Bigl(\sum_{k=1}^{d-1}\alpha_k\Bigr)\Bigl(\sum_{l=1}^{d-1}\beta_l\Bigr)(\xi_0 + a_2)
 + \Bigl(\bigl(\sum_{k=1}^{d-1}\alpha_k\bigr)\bigl(\sum_{l=1}^{d-1}\beta_l\nu_l\bigr) + \bigl(\sum_{k=1}^{d-1}\alpha_k\nu_k\bigr)\bigl(\sum_{l=1}^{d-1}\beta_l\bigr)\Bigr)\omega_0 \\
&\quad + \sum_{k=1}^{d-1}\alpha_k\beta_k\bigl(\Phi^{-k}(\xi_0) - \nu_k\bigr)
 + \alpha_0\sum_{k=0}^{d-1}\beta_k\omega_k + \beta_0\sum_{k=1}^{d-1}\alpha_k\omega_k \\
&\quad - a_1\sum_{0<k,l<d}\alpha_k\beta_l\omega_k + \sum_{\substack{0<k,l<d\\ k\neq l}}T_{k,l}\,\alpha_k\beta_l(\omega_l - \omega_k).
\end{aligned} \tag{12}$$
Algorithm 3.3 EllipticMultiplication

Product of two elements given in an elliptic basis.

INPUT: $\alpha = (\alpha_i)_{0\le i\le d-1}$ and $\beta = (\beta_i)_{0\le i\le d-1}$ such that $\alpha = \sum_{i=0}^{d-1}\alpha_i\omega_i$, $\beta = \sum_{i=0}^{d-1}\beta_i\omega_i\in L$.

OUTPUT: $\gamma = (\gamma_i)_{0\le i\le d-1}$ such that $\gamma = \sum_{i=0}^{d-1}\gamma_i\omega_i = \alpha\times\beta\in L$.

1. $s_a := 0$ ; $s_b := \beta_1$ ; $\gamma_0 := 0$ ; $\gamma_1 := -a_1 s_b\alpha_1$ ;

2. for $k := 2$ to $d-1$ do $s_a +:= \alpha_{k-1}$ ; $s_b +:= \beta_k$ ; $\gamma_k := -a_1(s_b\alpha_k + s_a\beta_k)$ ;

3. $s_a +:= \alpha_{d-1}$ ; $(\gamma_0, \ldots, \gamma_{d-1}) +:= s_as_b\,(\kappa_0 + a_2, \kappa_1, \ldots, \kappa_{d-1})$ ;

4. $s'_a := \sum_{i=1}^{d-1}\alpha_i\nu_i$ ; $s'_b := \sum_{i=1}^{d-1}\beta_i\nu_i$ ; $\gamma_0 +:= s_as'_b + s'_as_b$ ;

5. for $k := 1$ to $d-1$ do

6.   $\delta := \alpha_k\beta_k$ ; $\gamma_0 +:= \delta\bigl((\Phi^{-k}(\xi_0))_0 - \nu_k\bigr)$ ; $\gamma_k -:= \delta\sum_{j=1}^{d-1}\kappa_j$ ;

7.   for $l := 1$ to $k-1$ do $\gamma_l +:= \delta\,\kappa_{(d-k+l)\bmod d}$ ;

8.   for $l := k+1$ to $d-1$ do $\gamma_l +:= \delta\,\kappa_{(d-k+l)\bmod d}$ ;

9. $(\gamma_0, \ldots, \gamma_{d-1}) +:= (\alpha_0\beta_0,\ \alpha_1\beta_0 + \alpha_0\beta_1,\ \ldots,\ \alpha_{d-1}\beta_0 + \alpha_0\beta_{d-1})$ ;

10. if $d\bmod 3 = 0$ then

11.   $g := -(3\nu_{2d/3}^2 - a_1\rho_{2d/3} + 2a_2\nu_{2d/3} + a_4)/(2\rho_{2d/3} + a_1\nu_{2d/3} + a_3) - a_1$ ;

12.   $\delta := g\,(\alpha_{2d/3}\beta_{d/3} + \alpha_{d/3}\beta_{2d/3})$ ; $\gamma_{2d/3} -:= \delta$ ; $\gamma_{d/3} +:= \delta$ ;

13. for $k := 2$ to $\lfloor(2d-1)/3\rfloor$ by 2 do

14.   $l := k/2$ ; $g := (\rho_l + \rho_k + a_1\nu_k + a_3)/(\nu_l - \nu_k)$ ;

15.   $i_1, i_2 := 2l,\ d-l$ ; $j_1, j_2 := d-2l,\ l$ ;

16.   $\delta_{12} := g\,(\alpha_{i_1}\beta_{j_2} + \alpha_{j_2}\beta_{i_1})$ ; $\delta_{21} := g\,(\alpha_{i_2}\beta_{j_1} + \alpha_{j_1}\beta_{i_2})$ ; $\delta_{22} := g\,(\alpha_{i_2}\beta_{j_2} + \alpha_{j_2}\beta_{i_2})$ ;

17.   $\gamma_{i_1} -:= \delta_{12}$ ; $\gamma_{i_2} -:= \delta_{21} + \delta_{22}$ ; $\gamma_{j_1} +:= \delta_{21}$ ; $\gamma_{j_2} +:= \delta_{12} + \delta_{22}$ ;

18. for $k := \lfloor 1 + d/2\rfloor$ to $\lfloor(2d-1)/3\rfloor$ do

19.   $l := 2k\bmod d$ ; $g := (\rho_l + \rho_k + a_1\nu_k + a_3)/(\nu_l - \nu_k)$ ;

20.   $i_1, i_2 := k,\ (2d-2k)\bmod d$ ; $j_1, j_2 := (2k)\bmod d,\ d-k$ ;

21.   $\delta_{11} := g\,(\alpha_{i_1}\beta_{j_1} + \alpha_{j_1}\beta_{i_1})$ ; $\delta_{22} := g\,(\alpha_{i_2}\beta_{j_2} + \alpha_{j_2}\beta_{i_2})$ ; $\delta_{12} := g\,(\alpha_{i_1}\beta_{j_2} + \alpha_{j_2}\beta_{i_1})$ ;

22.   $\gamma_{i_1} -:= \delta_{11} + \delta_{12}$ ; $\gamma_{i_2} -:= \delta_{22}$ ; $\gamma_{j_1} +:= \delta_{11}$ ; $\gamma_{j_2} +:= \delta_{22} + \delta_{12}$ ;

23. for $k := 3$ to $\lfloor(2d-1)/3\rfloor$ do

24.   for $l := \max(1, 2k-d+1)$ to $\lfloor(k-1)/2\rfloor$ do

25.     $g := (\rho_l + \rho_k + a_1\nu_k + a_3)/(\nu_l - \nu_k)$ ;

26.     $i_1, i_2, i_3 := k,\ d-l,\ d-k+l$ ; $j_1, j_2, j_3 := d-k,\ l,\ k-l$ ;

27.     $\delta_{12} := g\,(\alpha_{i_1}\beta_{j_2} + \alpha_{j_2}\beta_{i_1})$ ; $\delta_{13} := g\,(\alpha_{i_1}\beta_{j_3} + \alpha_{j_3}\beta_{i_1})$ ; $\delta_{21} := g\,(\alpha_{i_2}\beta_{j_1} + \alpha_{j_1}\beta_{i_2})$ ;

28.     $\delta_{23} := g\,(\alpha_{i_2}\beta_{j_3} + \alpha_{j_3}\beta_{i_2})$ ; $\delta_{31} := g\,(\alpha_{i_3}\beta_{j_1} + \alpha_{j_1}\beta_{i_3})$ ; $\delta_{32} := g\,(\alpha_{i_3}\beta_{j_2} + \alpha_{j_2}\beta_{i_3})$ ;

29.     $\gamma_{i_1} -:= \delta_{12} + \delta_{13}$ ; $\gamma_{i_2} -:= \delta_{21} + \delta_{23}$ ; $\gamma_{i_3} -:= \delta_{31} + \delta_{32}$ ;

30.     $\gamma_{j_1} +:= \delta_{21} + \delta_{31}$ ; $\gamma_{j_2} +:= \delta_{12} + \delta_{32}$ ; $\gamma_{j_3} +:= \delta_{13} + \delta_{23}$ ;

31. return $(\gamma_i)_{0\le i\le d-1}$
The first two terms of this sum are computed at steps 3. and 4. of the algorithm. The three next terms are computed in steps 5. to 9. Especially, steps 5. to 8. correspond to the action of $\Phi^{-k}$ on $\xi_0$ (the quantity $(\Phi^{-k}(\xi_0))_0$, at step 4., is the first coordinate of $\Phi^{-k}(\xi_0)$ written in basis $\Omega$).

The constants $T_{k,l}$ satisfy 12 symmetry relations and we take advantage of them to compute the two last terms of the sum. More precisely, for $k$ and $l$ distinct and non-zero in $\mathbb{Z}/d\mathbb{Z}$, we have

$$T_{k,l} = T_{-l,-k} = T_{k,k-l} = T_{l-k,-k} = T_{l-k,l} = T_{-l,k-l}, \qquad T_{l,k} = T_{-k,-l} = T_{k-l,k} = T_{-k,l-k} = T_{l,l-k} = T_{k-l,-l} = -T_{k,l} - a_1.$$

All of these relations can be proved thanks to Equation (3) and Equation (1). For instance, to check that $T_{k,l} = T_{l-k,-k}$, we start from $T(O,kt,lt) = u_{O,kt}(b+kt) + u_{kt,lt}(b+kt) + u_{lt,O}(b+kt)$, and we find $T(O,kt,lt) = u_{-kt,O}(b) + u_{O,(l-k)t}(b) + u_{(l-k)t,-kt}(b) = T(O,(l-k)t,-kt)$.

Figure 2: Symmetry relations on the coefficients $T_{k,l}$ ($d = 42$)

We use first that $T_{k,l} = -T_{l,k} - a_1$ and we rewrite the last two terms of Equation (12) as follows,

$$-a_1\sum_{k=1}^{d-1}\Bigl(\beta_k\sum_{l=1}^{k-1}\alpha_l + \alpha_k\sum_{l=1}^{k}\beta_l\Bigr)\omega_k + \sum_{0<l<k<d}T_{k,l}\,(\alpha_k\beta_l + \alpha_l\beta_k)(\omega_l - \omega_k).$$

The first term of this sum is computed at steps 1. and 2. of the algorithm. To compute the last term, we consider in turn each orbit of the action defined by the symmetries on the coefficients $T_{k,l}$. We choose as a fundamental domain for this action the triangle delimited by the circles
$l = 1$, $k = 2l\bmod d$ and $l = 2k\bmod d$ (cf. Figure 2). It is cumbersome, but not difficult, to check that any point of this domain, outside the two circles $k = 2l\bmod d$ and $l = 2k\bmod d$, has an orbit of exactly 12 points: we compute only once the constant $T_{k,l}$ corresponding to these 12 points and we calculate accordingly their contribution to the product $\alpha\times\beta$. These are steps 23. to 30. of the algorithm.

Points on the line $k = 2l\bmod d$ have orbits of only 6 points. We precisely have $T_{2l,l} = T_{-l,-2l} = T_{-l,l} = -T_{l,2l} - a_1 = -T_{-2l,-l} - a_1 = -T_{l,-l} - a_1$, and this yields steps 13. to 17. of the algorithm. Similarly, points on the line $l = 2k\bmod d$ have orbits of only 6 points too. We have $T_{k,2k} = T_{-2k,-k} = T_{k,-k} = -T_{2k,k} - a_1 = -T_{-k,-2k} - a_1 = -T_{-k,k} - a_1$ and this yields steps 18. to 22. of the algorithm.

Finally, when $d$ is divisible by 3, the two circles $k = 2l\bmod d$ and $l = 2k\bmod d$ meet at the exceptional point $(2d/3, d/3)$, which is on the $k + l = 0\bmod d$ line too. This point has an orbit of only 2 points, i.e. $T_{2d/3,d/3} = -T_{d/3,2d/3} - a_1$. This yields steps 10. to 12. of the algorithm.

Complexity. We precompute the $d$ constants $\nu_k$ and $\rho_k$, the constant $T_{2d/3,d/3}$ if $d\bmod 3 = 0$, the $d$ coordinates in the basis $\Omega$ of $\xi_0$, their sum $\sum_{i=1}^{d-1}\kappa_i$, $\kappa_0 + a_2$ and the $\omega_0$-coordinates of all $\Phi^{-k}(\xi_0) - \nu_k$ for $k\le d-1$.

Then, Steps 1.-2. need $3d-7$ additions and $3d-4$ multiplications in $K$ (among which are $d-2$ additions and $3d-4$ multiplications because of $a_1$). Step 3. needs $d+1$ additions and $d+1$ multiplications in $K$, Step 6. needs $d-1$ additions and $2d-2$ multiplications in $K$, Steps 7.-8. need $d^2 - 2d + 1$ additions and $d^2 - 2d + 1$ multiplications in $K$, Step 9. needs $2d-1$ additions and $2d-1$ multiplications in $K$, Steps 11.-12. need 3 additions and 3 multiplications in $K$ if $d$ is a multiple of 3 (and cost nothing otherwise). Steps 13.-17. consist in $\lfloor(d-1)/3\rfloor$ iterations and Steps 18.-22. consist in $\lfloor(d - 5 + 6\varepsilon')/6\rfloor$ (where $\varepsilon' = 0$ if $d\bmod 6 = 0$ and $\varepsilon' = 1$ otherwise), each of them needs 16 additions, 11 multiplications and 1 inversion in $K$ (among which are 1 addition, 1 multiplication because of $a_1$ and 1 addition because of $a_3$), and finally, Steps 23.-30. consist in $\lfloor d^2/12\rfloor - \lfloor d/2\rfloor + \varepsilon''$ iterations (where $\varepsilon'' = 0$ if $d\bmod 6 = 1, 5$ and $\varepsilon'' = 1$ otherwise), each of them needs 25 additions, 12 multiplications and 1 inversion in $K$ (among which are 1 addition, 1 multiplication because of $a_1$ and 1 addition because of $a_3$).

Adding all these complexities yields the complexity announced.

□

Depending on the characteristic of $K$, it is classical to consider the reduced Weierstrass model to define elliptic curves. We give in Figure 3 precise complexities for these cases, all obtained with Lemma 3.
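As an added example (not the paper's ELLBASIS code), the following Python runs Algorithms 3.1 and 3.2 on coordinate vectors over a prime field $K = \mathbb{F}_p$. The constants $T_{d-1,j}$ are constructed here rather than taken from a curve; the only property the round trip depends on is $T_{j,d-1} = -T_{d-1,j} - a_1$, which follows from Equation (3). The function names are this example's own.

```python
# Added example (not the paper's ELLBASIS code): Algorithms 3.1 and 3.2 on
# coordinate vectors over K = F_p.  The T_{d-1,j} are constructed (in the
# paper they are curve constants); the round trip only relies on
# T_{j,d-1} = -T_{d-1,j} - a_1, which is Equation (3).
import random

def elliptic_frobenius(alpha, t_row, a1, p):
    """Algorithm 3.1: Phi(alpha) in the elliptic basis; t_row[j] = T_{d-1,j}."""
    d = len(alpha)
    g0 = alpha[0] - a1 * alpha[1] + sum(alpha[j] * t_row[j - 1] for j in range(2, d))
    return [g0 % p] + [alpha[j] % p for j in range(2, d)] + [-sum(alpha[1:]) % p]

def elliptic_frobenius_inverse(alpha, t_col, a1, p):
    """Algorithm 3.2: Phi^{-1}(alpha) in the elliptic basis; t_col[j] = T_{j,d-1}."""
    d = len(alpha)
    g0 = alpha[0] + sum(alpha[j] * t_col[j] for j in range(1, d - 1)) - a1 * alpha[d - 1]
    return [g0 % p, -sum(alpha[1:]) % p] + [alpha[j] % p for j in range(1, d - 1)]

def round_trip_ok(d, p, a1, trials=20, seed=1):
    """Phi^{-1}(Phi(alpha)) = Phi(Phi^{-1}(alpha)) = alpha for random alpha."""
    rng = random.Random(seed)
    t_row = [rng.randrange(p) for _ in range(d)]       # T_{d-1,j}, constructed
    t_col = [(-t - a1) % p for t in t_row]             # T_{j,d-1} by Equation (3)
    for _ in range(trials):
        alpha = [rng.randrange(p) for _ in range(d)]
        if elliptic_frobenius_inverse(elliptic_frobenius(alpha, t_row, a1, p), t_col, a1, p) != alpha:
            return False
        if elliptic_frobenius(elliptic_frobenius_inverse(alpha, t_col, a1, p), t_row, a1, p) != alpha:
            return False
    return True
```

Both procedures touch each coordinate once and use $d-1$ multiplications, as Lemma 2 states; the round trip fails as soon as the relation between the two rows of constants is broken.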

Figure 3: Elliptic multiplication complexities

| Condition                       | Model                              | Add.                             | Mult.                    | Inv.                 |
| Char(K) ≠ 2, 3                  | $y^2 = x^3 + a_4x + a_6$           | $(35d^2 + 18d - 5\varepsilon - 36)/12$ | $(31d^2 + 6d - \varepsilon)/12$ | $(d^2 - \varepsilon)/12$ |
| Char(K) = 3, $j_E \neq 0$       | $y^2 = x^3 + a_2x^2 + a_6$         | $(35d^2 + 18d - 5\varepsilon - 36)/12$ | $(31d^2 + 6d - \varepsilon)/12$ | $(d^2 - \varepsilon)/12$ |
| Char(K) = 3, $j_E = 0$          | $y^2 = x^3 + a_4x + a_6$           | $(35d^2 + 18d - 5\varepsilon - 36)/12$ | $(31d^2 + 6d - \varepsilon)/12$ | $(d^2 - \varepsilon)/12$ |
| Char(K) = 2, $j_E \neq 0$       | $y^2 + xy = x^3 + a_2x^2 + a_6$    | $(6d^2 + 5d - \varepsilon - 10)/2$     | $(31d^2 + 6d - \varepsilon)/12$ | $(d^2 - \varepsilon)/12$ |
| Char(K) = 2, $j_E = 0$          | $y^2 + a_3y = x^3 + a_4x + a_6$    | $(6d^2 + 3d - \varepsilon - 6)/2$      | $(31d^2 + 6d - \varepsilon)/12$ | $(d^2 - \varepsilon)/12$ |

4 Elliptic normal bases

In this section, we assume that we are in the situation of Section 3. So $E$ is an elliptic curve over a finite field $K = \mathbb{F}_q$ and $d\ge 2$ is an integer. Let $t\in E(\mathbb{F}_q)[d]$ be a rational point of order $d$. We call $T$ the group generated by $t$. Let $\phi : E\to E$ be the Frobenius endomorphism. Let $b\in E(\bar K)$ be a point such that $\phi(b) = b + t$. So, $b$ belongs to $E(L)$ where $L$ is the degree $d$ extension of $K$. We denote by $E'$ the quotient $E/T$ and by $I : E\to E'$ the quotient isogeny. We also assume $db\neq O\in E$. We set $a = I(b)$ and check $a\in E'(\mathbb{F}_q)$. We further assume there exists one point $R$ in $E(\mathbb{F}_q)$ such that $dR\neq O$.

We construct a normal basis for $L$, the degree $d$ extension of $K$. In this basis, the product of two elements can be computed at the expense of 5 convolution products between vectors of dimension $d$. Such bases may be preferred to the ones constructed in Section 3 when $d$ is large enough, depending on the implementation context.

4.1 The elliptic normal basis 6 

We start with a lemma concerning the sum J2k&/dz ^fct,(fc+i)t- 

Lemma 4 The sum J2kei./dz'^kt,{k+i)t is a constant c G K. If the characteristic p o/K divides 
the degree d, then c 7^ 0. 

Proof. The sum Ylik&/dz '^kt,(k+i)t is invariant by translations in T. So it can be seen as a func- 
tion on E' = E/T. As such, it has no more than one pole. Therefore it is constant. 

Assume now p divides d and T.kei./dz^kt,{k+i)t = 0. The sum T.kez/dz^'^kt,ik+i)t is thus 
invariant by translations in T. So it can be seen as a function on E' = E/T. As such, it has 
no more than one pole. Therefore it is constant. However, seen as a function on E, this sum 
Y.kez/dz ^Ukt,(k+i)t has a pole at O. A contradiction. 

□ 

So at least one of the two following conditions holds: either d is prime to p or c 7^ 0. In any 
case, there exist two scalars a 7^ and b in K such that ac + db = 1. For k E Z/dZ we set 
Uk = aukt,(k+i)t + b and Xk = xu- 

We denote by 6 the system {Ok)kez/dz defined as 6k = Uk{b). We have J2kez/dz ^fe = 1 ^ K. 
and^iOk) = 0k-i. 

Lemma 5 With the above notation, the system $(u_0, u_1, \ldots, u_{d-1})$ is a basis of $\mathcal{C} = \mathcal{L}\bigl(\sum_{k \in \mathbb{Z}/d\mathbb{Z}} [kt]\bigr)$. The system $\Theta = (\theta_0, \theta_1, \ldots, \theta_{d-1})$ is a $K$-basis of $L$.

Proof. Indeed, let the $\lambda_k$ for $k \in \mathbb{Z}/d\mathbb{Z}$ be scalars in $K$ such that $\sum_{k \in \mathbb{Z}/d\mathbb{Z}} \lambda_k \theta_k = 0$. The function $f = \sum_{k \in \mathbb{Z}/d\mathbb{Z}} \lambda_k u_k$ cancels at $b$ and also at all its $d$ conjugates $b + kt$ over $K$ (because $f$ is defined over $K$). But $f$ has no more than $d$ poles (the points in $T$). If $f$ is non-zero, its divisor is $(f)_0 - (f)_\infty$ with $(f)_0 = \sum_{\tau \in T} [b + \tau]$ and $(f)_\infty = \sum_{\tau \in T} [\tau]$. Since the divisor of a function sums to $O$ in $E$, we deduce that $db$ is zero in $E$. But this is impossible by hypothesis. So $f$ is the constant function zero. This implies all $\lambda_k$'s are equal (look at poles). Since the sum of all $\theta_k$'s is non-zero, this implies that all $\lambda_k$'s are null.

□

We call such a basis as $\Theta$ an elliptic normal basis.

If $k, l \in \mathbb{Z}/d\mathbb{Z}$ and $l \neq k, k+1, k-1 \bmod d$, then
$$u_k u_l \in \mathcal{C}$$
where $\mathcal{C} = \mathcal{L}\bigl(\sum_{k \in \mathbb{Z}/d\mathbb{Z}} [kt]\bigr)$ is the $K$-vector space generated by all $u_m$ for $m \in \mathbb{Z}/d\mathbb{Z}$. Further
$$u_{k-1} u_k + a^2 x_k \in \mathcal{C} \quad\text{and}\quad u_k^2 - a^2 x_k - a^2 x_{k+1} \in \mathcal{C}.$$
So if $(\alpha_k)_{0 \le k \le d-1}$ and $(\beta_k)_{0 \le k \le d-1}$ are two vectors in $K^d$, we have
$$\Bigl(\sum_k \alpha_k u_k\Bigr)\Bigl(\sum_k \beta_k u_k\Bigr) \equiv a^2 \sum_k \bigl(\alpha_k \beta_k (x_k + x_{k+1}) - \alpha_{k-1}\beta_k x_k - \alpha_k \beta_{k-1} x_k\bigr) \bmod \mathcal{C}$$
$$\equiv a^2 \sum_k (\alpha_k - \alpha_{k-1})(\beta_k - \beta_{k-1})\, x_k \bmod \mathcal{C}. \qquad (13)$$



Example. Let us continue the example of Section 3, i.e. $K = \mathbb{F}_7$ and $d = 5$. We find

_ f5y + 3 5y + 3x^ + A 4 y {2 x + 8) + 3x^ + 15 x 2y + 2 x + 6 
{Ukt,ik+i)t)k - y-^^ ^^Z^ . (x2 + 5) (x + 4) ' ^+4 

so that $c = 3$, $a = 5$, $b = 0$ (indeed $ac + db = 15 \equiv 1 \bmod 7$), and
$$\Theta = (13159, 16285, 9529, 6163).$$

4.2 Change of coordinates

Thanks to Equation (?), the $\theta_k$'s can be given in the basis $\Omega = (\omega_k)_k$ as
$$\theta_k = \begin{cases} a\,\omega_1 + b\,\omega_0 & \text{if } k = 0,\\ -a\,\omega_{d-1} - a a_1 \omega_0 + b\,\omega_0 & \text{if } k = d-1,\\ a\,\omega_{k+1} - a\,\omega_k + a\,\tau_{k,k+1} + b\,\omega_0 & \text{otherwise.}\end{cases}$$






Inversely, we set $\lambda_k = \sum_{i=1}^{k} \tau_{i,i+1}$ and we observe that $c = \lambda_{d-2} - a_1$. We obtain
$$\omega_k = \begin{cases} \sum_{i=0}^{d-1} \theta_i & \text{if } k = 0,\\ a^{-1}\theta_0 - b a^{-1} \sum_{i=0}^{d-1} \theta_i & \text{if } k = 1,\\ -a^{-1}\theta_{d-1} + (b a^{-1} - a_1) \sum_{i=0}^{d-1} \theta_i & \text{if } k = d-1,\\ a^{-1} \sum_{i=0}^{k-1} \theta_i - (k b a^{-1} + \lambda_{k-1}) \sum_{i=0}^{d-1} \theta_i & \text{otherwise.}\end{cases}$$

This shows that one can compute the change of variable from $\Omega$ to $\Theta$, and back, at the expense of $O(d)$ operations in $K$.
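As an added example (not code from the paper), the two $O(d)$ coordinate changes above carried out over $K = \mathbb{F}_7$ with $d = 5$; the values of $a$, $a_1$ and of the constants $\tau_{k,k+1}$ are constructed, and $b$ is derived from $ac + db = 1$ with $c = \lambda_{d-2} - a_1$.

```python
# Added example, not from the paper: O(d) coordinate changes of Section 4.2
# between Theta = (theta_k) and Omega = (omega_k), omega_0 = 1, over F_7, d = 5.
# a, a_1 and tau_{k,k+1} are constructed sample values; b is forced by
# a*c + d*b = 1 with c = lambda_{d-2} - a_1.
P, d = 7, 5
a, a1 = 5, 2                                              # constructed, a != 0
tau = [0] + [(3 * k + 1) % P for k in range(1, d - 1)]     # tau[k] = tau_{k,k+1}
AI = pow(a, P - 2, P)                                     # a^{-1} in F_7

def lam(k):
    """lambda_k = sum_{i=1}^{k} tau_{i,i+1} (lambda_0 = 0)."""
    return sum(tau[1:k + 1]) % P

c = (lam(d - 2) - a1) % P
b = ((1 - a * c) * pow(d, P - 2, P)) % P                  # a*c + d*b = 1

def theta_to_omega(ct):
    """Omega-coordinates of sum_k ct[k]*theta_k, using
    theta_0 = a*w_1 + b*w_0, theta_{d-1} = -a*w_{d-1} + (b - a*a_1)*w_0,
    theta_k = a*w_{k+1} - a*w_k + (a*tau_{k,k+1} + b)*w_0 otherwise."""
    const = [b] + [(a * tau[k] + b) % P for k in range(1, d - 1)] + [(b - a * a1) % P]
    w0 = sum(ct[k] * const[k] for k in range(d)) % P      # coefficient of omega_0
    return [w0] + [(a * (ct[l - 1] - ct[l])) % P for l in range(1, d)]

def omega_to_theta(cw):
    """Theta-coordinates of sum_l cw[l]*omega_l, using omega_0 = sum_i theta_i and
    omega_l = a^{-1} sum_{i<l} theta_i - (l*b*a^{-1} + lambda_{l-1}) sum_i theta_i."""
    S = [(l * b * AI + lam(l - 1)) % P for l in range(d)]   # S[0] unused
    common = (cw[0] - sum(cw[l] * S[l] for l in range(1, d))) % P
    out, suffix = [0] * d, 0
    for i in range(d - 1, -1, -1):                        # suffix = sum_{l > i} cw[l]
        out[i] = (common + AI * suffix) % P
        suffix = (suffix + cw[i]) % P
    return out
```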

4.3 Complexities

We exhibit an algorithm with quasi-linear complexity to multiply two elements given in an elliptic normal basis. As often with FFT-like algorithms, it consists in evaluations and interpolations.

Notation. If $\alpha = (\alpha_i)_{0 \le i \le d-1}$ and $\beta = (\beta_i)_{0 \le i \le d-1}$ are two vectors of length $d$ we denote by $\alpha *_j \beta = \sum_i \alpha_i \beta_{j-i}$ the $j$-th component of the convolution product. We denote by $\sigma(\alpha) = (\alpha_{i-1})_i$ the cyclic shift of $\alpha$. We denote by $\alpha \circ \beta = (\alpha_i \beta_i)_i$ the component-wise product and by $\alpha * \beta = (\alpha *_i \beta)_i$ the convolution product.
4.3.1 Reduction

Given a linear combination of the $x_k$'s we may want to reduce it: express it as a linear combination of the $u_k$'s.

Let $\Gamma = (\gamma_i)_{0 \le i \le d-1}$ be the vector in $K^d$ such that $x_0(b) = \sum_{0 \le k \le d-1} \gamma_k \theta_k$.

Let $\alpha = (\alpha_i)_{0 \le i \le d-1}$ and $\beta = (\beta_j)_{0 \le j \le d-1}$ be vectors in $K^d$ such that $\sum_i \alpha_i x_i(b) = \sum_j \beta_j \theta_j$. We want to express the $\beta_j$'s as linear expressions in the $\alpha_i$'s. Since $x_i(b) = x_0(b - it) = \phi^{-i}(x_0(b)) = \sum_k \gamma_k \theta_{k+i}$, we deduce $\beta = \Gamma * \alpha$. So $\beta$ is the convolution product of $\Gamma$ and $\alpha$. (14)
4.3.2 Evaluation

Let $(\alpha_i)_{0 \le i \le d-1}$ be scalars in $K$. Let $R \in E(K) - E[d]$ be a $K$-rational point on $E$ such that $dR \neq O$.

We want to evaluate $f = \sum_{0 \le i \le d-1} \alpha_i x_i$ at $R + jt$ for $0 \le j \le d-1$. We set $\beta_j = f(R + jt)$. We have
$$\beta_j = \sum_i \alpha_i x_i(R + jt) = \sum_i \alpha_i x_0(R + (j-i)t) = \alpha *_j x_R$$
where $x_R = (x_0(R + kt))_{0 \le k \le d-1}$. So, $\beta = x_R * \alpha$.

Similarly, we want to evaluate $f = \sum_{0 \le i \le d-1} \alpha_i u_i$ at $R + jt$ for $0 \le j \le d-1$. We set $\beta_j = f(R + jt)$. We have
$$\beta_j = \sum_i \alpha_i u_i(R + jt) = \sum_i \alpha_i u_0(R + (j-i)t) = \alpha *_j u_R$$
where $u_R = (u_0(R + kt))_{0 \le k \le d-1}$. So,
$$\beta = u_R * \alpha. \qquad (15)$$

4.3.3 Interpolation

Let $R \in E(K) - E[d]$ be a $K$-rational point on $E$ such that $dR \neq O$. The evaluation map $f \mapsto (f(R + jt))_{0 \le j \le d-1}$ is a bijection from $\mathcal{C}$ onto $K^d$: a non-zero function in $\mathcal{C}$ vanishing at all the $R + jt$ would have divisor $\sum_j [R + jt] - \sum_j [jt]$, which forces $dR = O$.

Given the $\beta_j = f(R + jt)$ we want to compute the $\alpha_i$ such that $f = \sum_{0 \le i \le d-1} \alpha_i u_i$. Since $\beta = u_R * \alpha$, we just need to compute once for all the inverse $u_R^{(-1)}$ of $u_R$ for the convolution product. This inverse exists because the evaluation map is bijective.

4.3.4 Multiplication

Let $\alpha = (\alpha_i)_{0 \le i \le d-1}$ and $\beta = (\beta_i)_{0 \le i \le d-1}$ be two vectors in $K^d$. We want to multiply $\sum_i \alpha_i \theta_i$ and $\sum_i \beta_i \theta_i$.

We define four functions on $E$,
$$A = \sum_i \alpha_i u_i, \qquad B = \sum_i \beta_i u_i,$$
$$C = a^2 \sum_i (\alpha_i - \alpha_{i-1})(\beta_i - \beta_{i-1})\, x_i,$$
$$D = AB - C.$$
The product we want to compute is $A(b)B(b) = C(b) + D(b)$.

From Equation (13), we deduce that $D$ is in $\mathcal{C}$. From Equation (14), we deduce that the coordinates in $\Theta$ of $C(b)$ are given by the vector
$$(a^2 \Gamma) * \bigl((\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr).$$

According to Equation (15), the evaluation of $A$ at the points $(R + jt)_j$ is given by the vector $u_R * \alpha$. The evaluation at these points of $D$ is $(u_R * \alpha) \circ (u_R * \beta) - x_R * \bigl(a^2 (\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr)$. If we $*$-multiply this latter vector on the left by $u_R^{(-1)}$ we obtain the coordinates of $D$ in the basis $(u_0, \ldots, u_{d-1})$. These are also the coordinates of $D(b)$ in the basis $\Theta$.

Altogether, we have proved what follows.

Lemma 6 The multiplication tensor for normal elliptic bases of type $\Theta$ is
$$(a^2 \Gamma) * \bigl((\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr) + u_R^{(-1)} * \Bigl((u_R * \alpha) \circ (u_R * \beta) - (a^2 x_R) * \bigl((\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr)\Bigr).$$

It consists in 5 convolution products, 2 component-wise products, 1 addition and 3 subtractions between vectors of size $d$, the degree of the extension.

Note that convolution products can be computed at the expense of $O(d \log d \log|\log d|)$ operations in $K$ using algorithms due to Schönhage and Strassen [17], Schönhage [16], and Cantor and Kaltofen [5].

Note also that it is standard to use elliptic curves (and even curves of higher genera) to bound the bilinear complexity of multiplication. One should mention in particular work by Chudnovsky [8], Shokrollahi [18], Ballet [3], Chaumine [6]. The tensor we produce here is not competitive with theirs from the point of view of bilinear complexity. But this tensor is symmetric enough to allow fast application of the Frobenius automorphism.

Example. In the setting of the examples of Section 3 and Section 4, i.e. $K = \mathbb{F}_7$ and $d = 5$, we first precompute, with $R = (1, 2)$ a point of order 10 on $E$,
$$\Gamma = (0, 5, 5, 1, 0), \quad u_R = (4, 1, 5, 1, 4), \quad u_R^{(-1)} = (2, 2, 0, 4, 0) \quad\text{and}\quad x_R = (1, 5, 5, 1, 2).$$

Now, we are going to multiply $\sum_i \alpha_i \theta_i$ and $\sum_i \beta_i \theta_i$ with $\alpha = (6, 3, 6, 1, 2)$ and $\beta = (2, 6, 6, 4, 2)$.

We first easily find $\alpha - \sigma(\alpha) = (4, 4, 3, 2, 1)$, $\beta - \sigma(\beta) = (0, 4, 0, 5, 5)$ and thus $(\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta)) = (0, 2, 0, 3, 5)$.
Therefore,
$$(a^2 \Gamma) * \bigl((\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr) = (6, 0, 4, 5, 5),$$
$$(u_R * \alpha) \circ (u_R * \beta) = (0, 4, 0, 3, 0),$$
$$(a^2 x_R) * \bigl((\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr) = (1, 1, 0, 1, 4).$$
It remains to compute
$$u_R^{(-1)} * \Bigl((u_R * \alpha) \circ (u_R * \beta) - (a^2 x_R) * \bigl((\alpha - \sigma(\alpha)) \circ (\beta - \sigma(\beta))\bigr)\Bigr) = (4, 5, 4, 0, 1),$$
and finally, we obtain the coordinates of $\bigl(\sum_i \alpha_i \theta_i\bigr)\bigl(\sum_i \beta_i \theta_i\bigr)$ in $\Theta$ as the sum $(6, 0, 4, 5, 5) + (4, 5, 4, 0, 1) = (3, 5, 1, 5, 6)$.
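The computation above, as an added example that is not part of the paper: Lemma 6 implemented over $K = \mathbb{F}_7$, $d = 5$, with the precomputed vectors $\Gamma$, $u_R$, $u_R^{(-1)}$, $x_R$ and $a = 5$ of the example; checking that $\sum_k \theta_k = 1$ behaves as the multiplicative unit is a consistency test of the tensor.

```python
# Added example, not from the paper: the multiplication tensor of Lemma 6
# over K = F_7 with d = 5, using the precomputed vectors of the example.
P, d, a = 7, 5, 5

Gamma  = [0, 5, 5, 1, 0]      # x_0(b) = sum_k Gamma_k theta_k
u_R    = [4, 1, 5, 1, 4]      # (u_0(R + k t))_k
u_Rinv = [2, 2, 0, 4, 0]      # inverse of u_R for the convolution product
x_R    = [1, 5, 5, 1, 2]      # (x_0(R + k t))_k

def conv(u, v):
    """Cyclic convolution over F_7: (u * v)_j = sum_i u_i v_{j-i}."""
    return [sum(u[i] * v[(j - i) % d] for i in range(d)) % P for j in range(d)]

def sigma(u):
    """Cyclic shift sigma(u)_i = u_{i-1}."""
    return [u[(i - 1) % d] for i in range(d)]

def hadamard(u, v):           # component-wise product
    return [(x * y) % P for x, y in zip(u, v)]

def sub(u, v):
    return [(x - y) % P for x, y in zip(u, v)]

def add(u, v):
    return [(x + y) % P for x, y in zip(u, v)]

def scale(s, u):
    return [(s * x) % P for x in u]

def multiply(alpha, beta):
    """Theta-coordinates of (sum alpha_i theta_i)(sum beta_i theta_i) by Lemma 6:
    5 convolutions, 2 component-wise products, 1 addition, 3 subtractions."""
    a2 = (a * a) % P
    delta = hadamard(sub(alpha, sigma(alpha)), sub(beta, sigma(beta)))
    c_part = conv(scale(a2, Gamma), delta)                  # coordinates of C(b)
    ev_AB = hadamard(conv(u_R, alpha), conv(u_R, beta))      # A(R+jt) B(R+jt)
    ev_D = sub(ev_AB, conv(scale(a2, x_R), delta))          # D = AB - C at R+jt
    d_part = conv(u_Rinv, ev_D)                             # interpolate D
    return add(c_part, d_part)                              # -> [3, 5, 1, 5, 6]
```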

5 Beyond Gauss periods

Complexity estimates in Subsection 3.3 and Subsection 4.3.4 suggest that an elliptic basis may be preferred to a standard normal basis.

In this section we first show that the main condition for the existence of an elliptic basis is that the degree should not be too large. This is explained in Subsection 5.1. If this condition is not fulfilled, we may translate the field extension along a small auxiliary base change. This is explained in Subsection 5.2. We recall in Subsection 5.3 that fast inversion using Lagrange's theorem and addition chains is possible in the context of elliptic normal bases. In Subsection 5.4 we associate a well chosen polynomial basis to any elliptic basis. We explain how to quickly change coordinates between either bases. This gives a quasi-linear division algorithm for elliptic bases.



5.1 Existence conditions for elliptic bases

Let $q$ be a power of a prime $p$. Given a finite field $\mathbb{F}_q$ and an integer $d \ge 2$, we want to construct an elliptic basis for the degree $d$ extension of $\mathbb{F}_q$.

We first need some easy properties of the $d_q$ (cf. Definition 1).

Lemma 7 Let $p$ be a prime and $q$ a power of $p$. Let $d \ge 2$ be an integer.

• If $d$ is prime to $q - 1$ then $d_q = d$.

• If $q - 1$ is squarefree then $d_q \le d^4$.

• In any case $d_q \le d^2 (q - 1)^2$.

• If $f \ge 1$ is an integer prime to $d\varphi(d)$ then $d_{q^f} = d_q$.

We can now give a sufficient condition for the existence of an elliptic basis. The necessary background about elliptic curves over finite fields can be found in chapter 5 of Silverman's book [?].

Lemma 8 Let $p$ be a prime and $q$ a power of $p$. Let $d \ge 2$ be an integer. We assume that
$$d_q \le 2\sqrt{q}.$$
Then, there exists an elliptic curve $E$ over $\mathbb{F}_q$, a point $t$ of order $d$ in $E(\mathbb{F}_q)$ and a point $b$ in $E(\bar{\mathbb{F}}_q)$ such that $\phi(b) = b + t$ and the order of $b$ is a multiple of $d^2$. In particular $db \neq O$.
Proof. There are at least two consecutive multiples of $d_q$ in the interval $[q + 1 - 2\sqrt{q},\, q + 1 + 2\sqrt{q}]$. One of them is not congruent to $1$ modulo $p$. We call $M = \lambda d_q$ this integer and we set $t = q + 1 - M$ and $\Delta = t^2 - 4q$. Let $\mathcal{O}$ be the maximal order in $\mathbb{Q}(\sqrt{\Delta})$. There exists an ordinary elliptic curve $E$ over $\mathbb{F}_q$ such that $E$ has $M$ points over $\mathbb{F}_q$ and $\mathrm{End}(E) = \mathcal{O}$. Let $\ell$ be a prime divisor of $d$. We set $e_\ell = v_\ell(d)$.

Assume first that $\ell$ is prime to $q - 1$.

It cannot divide both $q + 1 - t$ and $t^2 - 4q$ (it would then divide $(q+1)^2 - 4q = (q-1)^2$). So $\ell$ is prime to $t^2 - 4q$ and is unramified in $\mathbb{Z}[\phi]$ and in $\mathrm{End}(E)$. If $\ell$ were inert, it would divide both $\phi - 1$ and its conjugate $\bar\phi - 1$ and also the trace $\mathrm{Tr}(\phi - 1) = t - 2$. Since $\ell$ divides $q + 1 - t$ this would imply that $\ell$ divides $q - 1$, a contradiction. So $\ell$ splits in $\mathbb{Z}[\phi]$. Let $\mathfrak{l} = (\ell, \phi - 1)$ be the ideal in $\mathrm{End}(E)$ above $\ell$ and containing $\phi - 1$. This prime ideal divides $\phi - 1$ exactly $e$ times, where $e \ge e_\ell$ is the valuation of $M$ at $\ell$. Let $\lambda$ be the unique root of $(X + 1)^2 - t(X + 1) + q$ in $\mathbb{Z}_\ell$ that is congruent to $0$ modulo $\ell$. The $\ell$-adic valuation of $\lambda$ is $e$. The kernel of $\mathfrak{l}^{e + e_\ell}$ is cyclic of order $\ell^{e + e_\ell}$. The Frobenius acts on this group as multiplication by $1 + \lambda$. Let $b_\ell$ be a generator of this group. We set $t_\ell = \phi(b_\ell) - b_\ell = \lambda b_\ell$ and we check that $t_\ell$ has order $\ell^{e_\ell}$ and is $\mathbb{F}_q$-rational. Indeed $t_\ell$ is left invariant by $\phi$ because $e \ge e_\ell$.

Assume now $\ell$ divides $q - 1$.

So $v_\ell(M) > 2 v_\ell(q - 1)$. We check
$$t^2 - 4q = (q - 1)^2 + M^2 - 2M(q + 1) = (q - 1)^2 + O(\ell^s)$$
where $s = v_\ell(M) > 2 v_\ell(q - 1)$ if $\ell$ is odd, and $s = v_\ell(M) + 2 > 2 v_\ell(q - 1) + 2$ if $\ell = 2$.

We deduce $t^2 - 4q$ is a square in $\mathbb{Z}_\ell$ and $\ell$ splits in $\mathrm{End}(E)$. Let $\lambda_1$ and $\lambda_2$ be the two roots of $(X + 1)^2 - t(X + 1) + q$ in $\mathbb{Z}_\ell$. Since $\lambda_1 \lambda_2 = q + 1 - t = M$, one of these two roots has $\ell$-adic valuation $\ge e_\ell$. Assume for example $v_\ell(\lambda_1) = e_1 \ge e_\ell$. The $\ell^{e_1 + e_\ell}$-torsion group $E[\ell^{e_1 + e_\ell}]$ has a cyclic subgroup $V_\ell$ of order $\ell^{e_1 + e_\ell}$ where $\phi$ acts as multiplication by $1 + \lambda_1$.

Let $b_\ell$ be a point of order $\ell^{e_1 + e_\ell}$ in $V_\ell$. We set $t_\ell = \phi(b_\ell) - b_\ell = \lambda_1 b_\ell$. This is a point of order $\ell^{e_\ell}$. It is left invariant by $\phi$ because $e_1 \ge e_\ell$. So again $t_\ell$ is in $E[\ell^{e_\ell}](\mathbb{F}_q)$.

We now patch all these points together.

We set $t = \sum_\ell t_\ell$ and $b = \sum_\ell b_\ell$. We have $\phi(b) - b = t$ and $t$ has order $d$. The order of the point $b$ is a multiple of $\prod_\ell \ell^{2 e_\ell} = d^2$. In particular $db \neq O$.

□

Lemma 9 Let $p$ be a prime and $q$ a power of $p$. Let $d \ge 2$ be an integer. We assume that
$$d_q \le \sqrt{q}.$$
Then, there exists an elliptic curve $E$ over $\mathbb{F}_q$, a point $t$ of order $d$ in $E(\mathbb{F}_q)$ and a point $b$ in $E(\bar{\mathbb{F}}_q)$ such that $\phi(b) = b + t$ and the order of $b$ is a multiple of $d^2$. In particular $db \neq O$. There is also a point $R$ in $E(\mathbb{F}_q)$ such that $dR \neq O$.

Proof. We apply Lemma 8 above to $p$, $q$ and $d' = 2d \le 2\sqrt{q}$. We obtain an elliptic curve $E$, a point $t'$ of order $d' = 2d$ in $E(\mathbb{F}_q)$ and a point $b'$ such that $\phi(b') = b' + t'$. We set $t = 2t'$, $b = 2b'$ and $R = t'$ and we are done.

□
5.2 Base change

Let $q$ be a prime power and let $d$ be an integer. If $d$ is too large we may not be able to construct an elliptic basis for the degree $d$ extension of $\mathbb{F}_q$. We try to embed $\mathbb{F}_{q^d}$ into some small degree auxiliary extension $K = \mathbb{F}_Q$ with $Q = q^f$, then construct an elliptic basis for the degree $d$ extension $L$ of $K$. We shall need the following lemma.

Lemma 10 (Iwaniec) There exists a constant $\kappa \ge 1$ such that the following is true.

Let $k \ge 2$ be an integer and let $p_1, p_2, \ldots, p_k$ be distinct prime integers. Let $\mu_1$ and $\mu_2$ be two integers with $\mu_2 - \mu_1 \ge \kappa k^2 (\log k)^2$. Let $I$ be the interval $[\mu_1, \mu_2]$. There is an integer $n$ in $I$ that is prime to every $p_i$ for $i \in \{1, 2, \ldots, k\}$.

This lemma is proven by Iwaniec in [14].

The number of prime divisors of $d$ is $O(\log d)$. We look for some integer $f$ such that

• $f$ is prime to $d\varphi(d)$,

• $d_{q^f} = d_q \le q^{f/2}$.

From Lemma 10 we find some $f$ that is
$$O\bigl(\log_q d_q + (\log d)^2 (\log(\log d))^2\bigr) = O\bigl((\log d)^2 (\log(\log d))^2\bigr).$$

In this context, we call $\Phi_q : \bar{\mathbb{F}}_q \to \bar{\mathbb{F}}_q$ the absolute Frobenius of $\mathbb{F}_q$ and $\Phi_Q = \Phi_q^f$ the Frobenius of $K$. Once given an elliptic basis for $L/K$, we can compute efficiently the action of $\Phi_Q$. Let $F$ be an integer such that $1 \le F \le d - 1$ and $fF = 1 \bmod d$. The restriction of $\Phi_Q^F$ to $\mathbb{F}_{q^d}$ is $\Phi_q : \mathbb{F}_{q^d} \to \mathbb{F}_{q^d}$. We thus can compute efficiently the Frobenius action on $\mathbb{F}_{q^d}$ using the elliptic basis for $L/K$.

Elements in $\mathbb{F}_{q^d}$ being represented and treated as elements in $L$, we have a slight loss of efficiency: the size is multiplied by $f$. An element in $\mathbb{F}_{q^d}$ is represented by $d \log Q$ bits instead of $d \log q$.

5.3 Inversion using Lagrange's theorem

We have constructed models for finite fields where addition, multiplication and Frobenius action can be quickly computed. We should worry now about inversion.

The inverse of $a \in \mathbb{F}_{q^d}$ can be computed as $a^{q^d - 2}$ because of Lagrange's theorem. This exponentiation can be done at the expense of $O(\log q + \log d)$ multiplications in $\mathbb{F}_{q^d}$ using an addition chain for $d - 1$ and another addition chain for $q - 2$. This is [13, Theorem 2] of Itoh and Tsujii generalized in [20, Corollary 30] by von zur Gathen and Nöcker. The computation also requires $O(\log d)$ exponentiations by powers of $q$.
5.4 Moving to a polynomial basis and quasi-linear inversion

Using Lagrange's theorem for inversion is one of the possible motivations for using normal bases but it brings an extra $\log q$ factor in the complexity. This may harm if $\log q$ is bigger than any polynomial in $\log d$. So it makes sense to look for an inversion algorithm that uses less than e.g. $\kappa\, d (\log d)^2 \log|\log d|$ operations in $\mathbb{F}_q$, where $\kappa$ does not depend on $d$ nor on $q$.

In this subsection we show that to any elliptic basis one can associate a polynomial basis such that changing coordinates between either bases can be done in quasi-linear time. This gives another algorithm for fast multiplication in elliptic bases. More importantly, this allows fast division in elliptic bases.

Let $K = \mathbb{F}_q$, $d$, $L$, $E$, $t$ and $b$ be as in the beginning of Section 4. We further assume $2db \neq O$. This is guaranteed if we use Lemma 9 and if $d \ge 3$. The unitary polynomial
$$\Pi(x) = (x - x(b))(x - x(b + t)) \cdots (x - x(b + (d-1)t)) \in K[x]$$
is then irreducible.

In order to simplify the presentation, we shall assume in the following that $d$ is odd. There exist a degree $(d+1)/2$ unitary polynomial $Y_1 \in K[x]$ and a degree $\le (d-3)/2$ polynomial $Y_0 \in K[x]$ such that the function $Y_1(x) - yY_0(x)$ cancels at $b, b+t, \ldots, b+(d-1)t$. Besides $Y_1$ and $Y_0$ are coprime and $Y_1(x) - yY_0(x)$ also cancels at $-db$. We precompute these two polynomials.

We denote by $\mathcal{R} \subset K(E)$ the ring of functions having no pole outside $\{O, t, 2t, \ldots, (d-1)t\}$. The ideal $\mathfrak{b} \subset \mathcal{R}$ of the closed subset $\{b, b+t, b+2t, \ldots, b+(d-1)t\}$ is generated by $\Pi(x)$ and $Y_1(x) - yY_0(x)$.

The system $(1, u_{O,t}, \ldots, u_{O,(d-1)t})$ is a $K$-basis of $\mathcal{L}_1 = \mathcal{L}(O + t + 2t + \cdots + (d-1)t)$ and reduction modulo $\mathfrak{b}$ (evaluation at $b$) defines a bijection $\epsilon_1 : \mathcal{L}_1 \to K(b) = L$. The system $(1, u_{O,t}(b), \ldots, u_{O,(d-1)t}(b))$ is the elliptic basis $\Omega$.

The system $(1, x, x^2, \ldots, x^{d-1})$ is free and generates a subspace $\mathcal{L}_2$ of $\mathcal{L}((2d-2)O)$. Reduction modulo $\mathfrak{b}$ (evaluation at $b$) defines a bijection $\epsilon_2 : \mathcal{L}_2 \to K(b) = L$. The system $(1, x(b), x(b)^2, \ldots, x(b)^{d-1})$ is a $K$-basis of $L$. This is a polynomial basis.

In order to change coordinates from $\Omega$ to the polynomial basis and back¹, we now explain how to quickly evaluate the bijections $\epsilon_2^{-1} \circ \epsilon_1$ and $\epsilon_1^{-1} \circ \epsilon_2$.

¹ Recall that changing coordinates from $\Omega$ to $\Theta$ and back is done in linear time as explained in paragraph 4.2.

From $\Omega$ to the polynomial basis.

Recall we have set $\nu_k = x(kt)$ for $k \in \mathbb{Z}/d\mathbb{Z}$. Equation (?) shows that there exist constants $s_k = a_1 x(kt) + a_3 + y(kt)$ in $K$ such that for $1 \le k \le d - 1$
$$u_{O,kt} = \frac{y + s_k}{x - \nu_k}.$$

Any function $f$ in $\mathcal{L}_1$ is a combination
$$f = \alpha_0 + \sum_{1 \le k \le d-1} \alpha_k \frac{y + s_k}{x - \nu_k}$$
with $\alpha_k \in \mathbb{F}_q$ for $0 \le k \le d - 1$. We set
$$D(x) = \prod_{1 \le k \le (d-1)/2} (x - \nu_k).$$

We can rewrite $f$ as $(U(x) + yV(x))/D(x)$ where $U(x)$ and $V(x)$ are polynomials in $K[x]$ with degree $\le (d-1)/2$.

The numerator $U(x) + yV(x)$ can be computed at the expense of $O(d (\log d)^2 \log|\log d|)$ operations in $\mathbb{F}_q$ using a divide and conquer algorithm.

Now the function $f$ is congruent modulo $\mathfrak{b}$ to $(U(x) + M(x)V(x))/D(x)$, where $M(x) \in K[x]$ is congruent to $Y_1(x)/Y_0(x)$ modulo $\Pi(x)$, so that $y \equiv M(x)$ modulo $\mathfrak{b}$. There exists a polynomial $W(x) \in K[x]$ with degree $\le d - 1$ that is congruent to the latter fraction modulo $\Pi(x)$. We compute it at the expense of $O(d (\log d)^2 \log|\log d|)$ operations in $\mathbb{F}_q$ using standard fast modular multiplication and inversion algorithms. This polynomial $W(x)$ is nothing but
$$\epsilon_2^{-1}(\epsilon_1(f)).$$

From the polynomial basis to $\Omega$.

Conversely, let $W(x) \in \mathcal{L}_2$ be a polynomial in $K[x]$ with degree $\le d - 1$. We look for a function $f = \alpha_0 + \sum_{1 \le k \le d-1} \alpha_k (y + s_k)/(x - \nu_k)$ in $\mathcal{L}_1$ that is congruent to $W(x)$ modulo $\mathfrak{b}$. For $k \neq 0$ in $\mathbb{Z}/d\mathbb{Z}$ we set
$$D_k(x) = \prod_{1 \le i \le (d-1)/2,\; i \neq \pm k \bmod d} (x - \nu_i) = D(x)/(x - \nu_k).$$

We assume we have precomputed the $D_k(\nu_k)$ for $1 \le k \le (d-1)/2$ using fast multipoint evaluation of the derivative $D'(x)$ at the expense of $O(d (\log d)^2 \log|\log d|)$ operations in $\mathbb{F}_q$.

We first compute a degree $\le d - 1$ polynomial $N(x)$ that is congruent to $W(x)D(x)Y_0(x)$ modulo $\Pi(x)$. This is done at the expense of $O(d (\log d)^2 \log|\log d|)$ operations in $\mathbb{F}_q$ using a standard fast modular multiplication and reduction algorithm.

We have
$$N(x) \equiv D(x)Y_0(x) f \equiv \alpha_0 D(x)Y_0(x) + \sum_{1 \le k \le d-1} \alpha_k D_k(x)\bigl(Y_1(x) + s_k Y_0(x)\bigr) \bmod \mathfrak{b}.$$

The leftmost and rightmost terms in the above congruence are polynomials in $x$ with degree $\le d - 1$. Therefore they are equal. Since $D_k = D_{-k}$, we obtain
$$N(x) = \alpha_0 D(x)Y_0(x) + \sum_{1 \le k \le (d-1)/2} \Bigl(\alpha_k\bigl(Y_1(x) + s_k Y_0(x)\bigr) + \alpha_{-k}\bigl(Y_1(x) + s_{-k} Y_0(x)\bigr)\Bigr) D_k(x).$$

We set
$$A_0(x) = \sum_{1 \le k \le (d-1)/2} (\alpha_k s_k + \alpha_{-k} s_{-k}) D_k \quad\text{and}\quad A_1(x) = \sum_{1 \le k \le (d-1)/2} (\alpha_k + \alpha_{-k}) D_k \qquad (16)$$
and we obtain
$$N(x) = \alpha_0 D(x)Y_0(x) + A_0(x)Y_0(x) + A_1(x)Y_1(x).$$

We now reduce this identity modulo $Y_1(x)$. Let $\tilde N(x) \in K[x]$ be the polynomial with degree $\le (d-1)/2$ that is congruent to $N(x)/Y_0(x)$ modulo $Y_1(x)$. We have $A_0(x) = \tilde N(x) - \alpha_0 D(x)$ where $\alpha_0$ is the only constant in $K$ such that $\tilde N(x) - \alpha_0 D(x)$ has degree $\le (d-3)/2$. Once we know $\alpha_0$ and $A_0(x)$ we set $A_1(x) = \bigl(N(x) - \alpha_0 D(x)Y_0(x) - A_0(x)Y_0(x)\bigr)/Y_1(x)$.

From equations (16) we deduce
$$\alpha_k s_k + \alpha_{-k} s_{-k} = A_0(\nu_k)/D_k(\nu_k), \qquad \alpha_k + \alpha_{-k} = A_1(\nu_k)/D_k(\nu_k).$$

These pairs of equations allow us to compute all the $\alpha_k$ from the $A_0(\nu_k)$, $A_1(\nu_k)$, and $D_k(\nu_k)$ at the expense of $O(d)$ operations in $K$. The $A_0(\nu_k)$ and $A_1(\nu_k)$ are computed using a fast multipoint evaluation algorithm at the expense of $O(d (\log d)^2 \log|\log d|)$ operations in $\mathbb{F}_q$.